Model: ThinkPad T480
Serial Number: PF-1NSAAJ
Motherboard Model: ET480 NM-B501 - rEV. 1,0 - 2018-03.03

Issue:
I am unable to remove the BIOS supervisor password. I have tried all recommended procedures, including the Lenovo Auto‑Patcher, but I am still locked out.

What I have tried:

Used Flashrom and a CH341A SPI programmer to read and write the BIOS chip.

Worked from both Ubuntu and Windows 11 operating systems during the process.

Flashed both 8MB and 4MB dumps (attached below).

Ran the latest Lenovo Auto-Patcher script on my BIOS dumps.

Flashed the patched BIOS back to the chip.

I also tried the original BIOS dump for recovery.

Current symptoms:

With patched BIOS: The laptop does not boot and emits a continuous siren/alarm sound.

With original BIOS: The laptop boots but asks for the supervisor password (which I do not have).


Additional info:

The board label says MN-B501.


Thank you in advance for your help! Any guidance or clean/unlocked BIOS would be greatly appreciated.

method 1 should work
Method 2 doesn't work. Password is in EC. Can't decrypt. It's not registered in the BIOS.
Method 3: You must use a USB keyboard because the shunt disables the keyboard. Watch the other videos to understand, the timing of the shunt is important
f1 is pressed before the shunt.

serial number, type etc ... respect rules please

post merged...next time look for a thread with the name and model, motherboard model of the laptop, and post there, if you can't find it, then make a new thread..

I just saw that I uploaded the file, but it's 6MB. The original BIOS is 16MB, but when I run the autopatcher, it doesn't work and the siren is activated.

Hi,

you can use any of 25Q128BV or 25Q128FV they share same chip ID as your IC 25Q128JVSQ (see page 21).

Or you can add your chip into list of supported chips yourself. Just edit file chiplist.xml,

find line

add after it

save the file.

Now try identify chip in AsProgrammer and you will see your chip in the list.

Note: you can download more recent AsProgrammer 3.7 or AsProgrammer 2.1.2

Polar Bear

Hello Knucklegrumble,

per your suggestion I would like to report unsuccessful case with Lenovo T480s. I followed your procedure and everything was going according plan except that after restoring original BIOS and reboot laptop asks for a password.

I've made a post for my case with a details. I would appreciate if you take a look at it.

Thank you for your work and help

Polar Bear

Hi,
when i try to autopatch a file the fill generated and immediately deleted, pls assist me for this problem, Thanks

Hello,

A friend of mine approached me with request for help to recover access to a few electronic devices left after tragic death of his son. One of the devices is a Lenovo T480s laptop with UEFI Supervisor laptop. I did my research on internet for possible methods and couple of them lead to BadCaps forum.

Laptop: Lenovo T480s
MB: ET481 NS-B471 Rev: 1.0 2017-10-30
Type: 20L7-002CUS
S/N: PC-0WWFM7 18/08
BIOS IC: 25Q128JVSQ

Method #1: Lenovo autopatcher
Video: https://www.youtube.com/watch?v=s9XlN2Hl0ag
lenovo_autopatcher_0.2
The BIOS has been read and stored 3 times in a files, CRC is the same for each file. The BIOS was processed by lenovo_autopatcher_0.2 successfully. The result bin file was written into the BIOS chip. At next laptop's boot a procedure to disable TPM was completed successfully. Then original BIOS was written/restored into BIOS chip. Following boot of the laptop still asks for password input.

The procedure was completed/repeated a few times (with connected/disconnected batteries) with exactly same result.

Method #2: Supervisor password decryption
Video: https://www.youtube.com/watch?v=IhRw7ePhLKs
Followed the video in attempt to decript Supervisor's password. Using UEFItool was found padding value (00700000h) and BIOS file was scanned for an offset (0003FC20h). Looking at 0073FC20h in BIOS file the password has 168 bites and bytes values way beyond keyboard scan codes. It is considered that this attempt/method is not applicable to Lenovo T480s.

Keyboard scancodes: https://aeb.win.tue.nl/linux/kbd/scancodes-1.html

Method #3: JLPC ADC shorting to GND
Video: https://www.youtube.com/watch?v=D-PFVJpBcTY
URL: https://www.badcaps.net/forum/troubl...-ec-pwd-bypass

Followed the video, in many attepts to GND any pin 4,6,8,10 (ADC0:3) on JLPC pads and only once I was offered to press F1 go get into BIOS settings, for some unexplicable reason keyboard refused to respond on key presses. All following attempts was unsuccessful so far (to catch a right timing to corrupt data exchange and get into BIOS settings).

Please suggest how Supervisor password can be remove.
Your help is greatly appreciated.

when he will discover your method he will realize he waste his time researching and writing his thesis. Imagine: after reading his thesis in front of colleagues and professors, the dumb of the class rises 2 fingers and says: I know a faster and better way!
On a serious note, I bet you didn't discover your method by accident, you searched a way to interrupt communication between UEFI and EC and you found it.

The conclusion of his research for this thesis is :

that he doesn't do anything well, and yet, it works.




​

now we wait from him to document your method of bypassing SVP. I think in 2028!

impressive, well done, great job

Only programmer

it's intel, ok I will try second solution. thank you

AMD or Intel ?? intel not work
L14 L15 complicated model
look at the other posts in
https://www.badcaps.net/forum/troubl...-ec-pwd-bypass



​

Hi Maxpower3
I have Lenovo L15 with part number GL4A0/GL5A0 NM-C631 and I followed your guidance for NPCE68APA0DX by make a short connection pin 1 or 128 with ground for two second when I can see Lenovo logo but problem is that laptop stuck in Lenovo logo. what am I doing wrong?

This system does not work for 32Mbytes. This system is only valid for 16MB. I have done it many times.​

EC MEC1503 no solution

I'm sorry. This my model and original bios
Serial Number R9-10W8WV
Type Number 20UN-0001JP